CVE-2022-26183
Description
PNPM v6.15.1 and below was discovered to contain an untrusted search path which causes the application to behave in unexpected ways when users execute PNPM commands in a directory containing malicious content. This vulnerability occurs when the application is run on Windows OS.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
PNPM v6.15.1 and below on Windows has an untrusted search path that can be exploited via malicious files in the working directory.
Vulnerability
PNPM versions 6.15.1 and earlier on Windows are vulnerable to an untrusted search path issue [1][2]. When a user executes a PNPM command in a directory containing malicious content, the application may load and execute arbitrary code from that directory instead of trusted system locations. This occurs because PNPM on Windows does not properly sanitize the search path used to locate executables or libraries, allowing attackers to plant malicious binaries or scripts in the current working directory that PNPM will inadvertently execute [3]. The affected versions are all releases up to and including v6.15.1.
Exploitation
An attacker must first place a malicious file (e.g., a .exe, .bat, or .dll) in a directory that the victim will later run a PNPM command from. The attacker could achieve this by convincing the victim to clone a malicious repository, download a zip archive, or navigate to a shared network folder under the attacker's control. No authentication or special privileges are required beyond the ability to write a file to the target directory. When the victim then executes any pnpm command (such as pnpm install or pnpm add) from that directory, PNPM will search for dependencies or child processes using the untrusted path and may execute the attacker's payload instead of the legitimate system binary [1][3]. No user interaction beyond running the command is needed; the attack triggers automatically upon command execution.
Impact
Successful exploitation allows an attacker to achieve arbitrary code execution on the victim's Windows machine [1][2]. The injected code runs in the context of the PNPM process, inheriting the user's privileges. This could lead to full compromise of the development environment, including exfiltration of source code, credentials, or deployment tokens. An attacker could also use this as a foothold to launch supply chain attacks by modifying dependencies or injecting malicious code into projects built on the compromised machine [1].
Mitigation
The vulnerability is fixed in PNPM versions after 6.15.1. The fix involved replacing the execa library with safe-execa, which prevents binary planting attacks on Windows by properly resolving executable paths [3]. Users on Windows are strongly advised to update to the latest PNPM version (7.x or later) immediately [4]. There is no known workaround for unpatched versions. This vulnerability is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.
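A minimal model of the lookup difference behind this fix, as an added example (not pnpm's or safe-execa's code). The environment, paths and function names are constructed for illustration; the unsafe variant models the Windows behaviour of consulting the current directory before `PATH` when a command is given as a bare name.

```javascript
// Constructed sample environment: a working directory that ships its own
// "git.bat", and a PATH that also contains a relative and an empty entry.
const SAMPLE_ENV = {
  cwd: 'C:\\work\\cloned-repo',
  pathEnv: 'C:\\Program Files\\Git\\cmd;.;;C:\\Windows\\System32',
  pathExt: '.COM;.EXE;.BAT;.CMD',
  files: new Set([
    'c:\\work\\cloned-repo\\git.bat',       // file inside the untrusted directory
    'c:\\program files\\git\\cmd\\git.exe', // the binary the user expects to run
  ]),
};

// Small Windows-path helpers, written out so the example runs on any OS.
const norm = (p) => p.replace(/\//g, '\\').replace(/\\+$/, '').toLowerCase();
const isAbsolute = (p) => /^[A-Za-z]:[\\/]/.test(p);
const hasSeparator = (p) => /[\\/]/.test(p);
const hasExtension = (p) => /\.[^\\/.]+$/.test(p);

// Return the first existing "<dir>\<cmd><ext>", trying PATHEXT in order.
function firstMatch(cmd, dirs, env) {
  const exts = hasExtension(cmd) ? [''] : env.pathExt.split(';').filter(Boolean);
  for (const dir of dirs) {
    for (const ext of exts) {
      const candidate = `${dir.replace(/[\\/]+$/, '')}\\${cmd}${ext}`;
      if (env.files.has(norm(candidate))) return candidate;
    }
  }
  return null;
}

// Unsafe model: the working directory is searched before PATH, and relative
// or empty PATH entries resolve to the working directory as well.
function resolveUnsafe(cmd, env) {
  const pathDirs = env.pathEnv.split(';').map((d) => (isAbsolute(d) ? d : env.cwd));
  return firstMatch(cmd, [env.cwd, ...pathDirs], env);
}

// Hardened model: a bare name is resolved only through absolute PATH entries
// that are not the working directory, and the caller spawns the absolute
// path that comes back. Relative command paths are refused outright.
function resolveSafe(cmd, env) {
  if (hasSeparator(cmd)) {
    if (!isAbsolute(cmd)) throw new Error(`refusing relative command path: ${cmd}`);
    return cmd;
  }
  const trusted = env.pathEnv
    .split(';')
    .filter((d) => isAbsolute(d) && norm(d) !== norm(env.cwd));
  const found = firstMatch(cmd, trusted, env);
  if (!found) throw new Error(`command not found on trusted PATH: ${cmd}`);
  return found;
}

// Stand-alone demonstration on the constructed environment.
console.log('unsafe :', resolveUnsafe('git', SAMPLE_ENV));
console.log('safe   :', resolveSafe('git', SAMPLE_ENV));
```

Failing closed when nothing is found on the trusted `PATH` matters as much as the filtering: falling back to the bare name would hand the lookup back to the operating system's default search order.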
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pnpm (npm) | < 6.15.1 | 6.15.1 |
Affected products
- PNPM/PNPM (description)
Patches
04b7f60861dd fix: prevent binary planting attacks on Windows
22 files changed · +125 −82
.changeset/sweet-insects-carry.md+10 −0 added@@ -0,0 +1,10 @@ +--- +"@pnpm/filter-workspace-packages": patch +"@pnpm/git-fetcher": patch +"@pnpm/git-resolver": patch +"@pnpm/plugin-commands-publishing": patch +"@pnpm/plugin-commands-script-runners": patch +"@pnpm/plugin-commands-setup": patch +--- + +Use safe-execa instead of execa to prevent binary planting attacks on Windows.
packages/beta/package.json+1 −1 modified@@ -18,7 +18,7 @@ }, "devDependencies": { "@zkochan/pkg": "0.0.0-2", - "execa": "^5.0.0" + "execa": "npm:safe-execa@^0.1.1" }, "funding": "https://opencollective.com/pnpm", "homepage": "https://github.com/pnpm/pnpm/blob/master/packages/beta#readme",
packages/beta/scripts/build-artifacts.ts+1 −1 modified@@ -1,4 +1,4 @@ -import execa from 'execa' +import * as execa from 'execa' import path from 'path' function build (target: string) {
packages/filter-workspace-packages/package.json+1 −1 modified@@ -31,7 +31,7 @@ "@pnpm/error": "workspace:2.0.0", "@pnpm/find-workspace-packages": "workspace:3.1.13", "@pnpm/matcher": "workspace:2.0.0", - "execa": "^5.0.0", + "execa": "npm:safe-execa@^0.1.1", "find-up": "^5.0.0", "is-subdir": "^1.1.1", "micromatch": "^4.0.2",
packages/git-fetcher/package.json+1 −1 modified@@ -32,7 +32,7 @@ "@pnpm/fetcher-base": "workspace:11.0.3", "@pnpm/prepare-package": "workspace:1.0.3", "@zkochan/rimraf": "^2.1.1", - "execa": "^5.0.0" + "execa": "npm:safe-execa@^0.1.1" }, "devDependencies": { "@pnpm/cafs": "workspace:3.0.7",
packages/git-resolver/package.json+1 −1 modified@@ -33,7 +33,7 @@ "dependencies": { "@pnpm/fetch": "workspace:4.1.1", "@pnpm/resolver-base": "workspace:8.0.4", - "graceful-git": "^3.0.2", + "graceful-git": "^3.1.2", "hosted-git-info": "npm:@zkochan/hosted-git-info@^4.0.2", "semver": "^7.3.4" },
packages/plugin-commands-env/package.json+1 −1 modified@@ -50,7 +50,7 @@ "devDependencies": { "@pnpm/prepare": "workspace:0.0.26", "@types/adm-zip": "^0.4.34", - "execa": "^5.0.0", + "execa": "npm:safe-execa@^0.1.1", "path-name": "^1.0.0" } }
packages/plugin-commands-env/test/env.test.ts+1 −1 modified@@ -3,7 +3,7 @@ import path from 'path' import PnpmError from '@pnpm/error' import { tempDir } from '@pnpm/prepare' import { env } from '@pnpm/plugin-commands-env' -import execa from 'execa' +import * as execa from 'execa' import PATH from 'path-name' test('install Node (and npm, npx) by exact version of Node.js', async () => {
packages/plugin-commands-listing/package.json+1 −1 modified@@ -37,7 +37,7 @@ "@pnpm/plugin-commands-installation": "workspace:6.1.0", "@pnpm/prepare": "workspace:0.0.26", "@types/ramda": "0.27.39", - "execa": "^5.0.0", + "execa": "npm:safe-execa@^0.1.1", "strip-ansi": "^6.0.0", "write-yaml-file": "^4.2.0" },
packages/plugin-commands-publishing/package.json+1 −1 modified@@ -43,7 +43,6 @@ "@types/sinon": "^9.0.11", "@types/tar": "^4.0.5", "cross-spawn": "^7.0.3", - "execa": "^5.0.0", "is-ci": "^3.0.0", "is-windows": "^1.0.2", "load-json-file": "^6.2.0", @@ -67,6 +66,7 @@ "@pnpm/types": "workspace:7.4.0", "@zkochan/rimraf": "^2.1.1", "enquirer": "^2.3.6", + "execa": "npm:safe-execa@^0.1.1", "fast-glob": "^3.2.4", "npm-packlist": "^2.2.2", "p-filter": "^2.1.0",
packages/plugin-commands-rebuild/package.json+1 −1 modified@@ -39,7 +39,7 @@ "@types/ramda": "0.27.39", "@types/semver": "^7.3.4", "@types/sinon": "^9.0.11", - "execa": "^5.0.0", + "execa": "npm:safe-execa@^0.1.1", "path-exists": "^4.0.0", "sinon": "^11.1.1", "write-yaml-file": "^4.2.0"
packages/plugin-commands-script-runners/package.json+1 −1 modified@@ -37,7 +37,6 @@ "@pnpm/prepare": "workspace:0.0.26", "@types/ramda": "0.27.39", "@zkochan/rimraf": "^2.1.1", - "execa": "^5.0.0", "is-windows": "^1.0.2", "write-yaml-file": "^4.2.0" }, @@ -52,6 +51,7 @@ "@pnpm/sort-packages": "workspace:2.1.1", "@pnpm/store-path": "^5.0.0", "@pnpm/types": "workspace:7.4.0", + "execa": "npm:safe-execa@^0.1.1", "p-limit": "^3.1.0", "path-exists": "^4.0.0", "path-name": "^1.0.0",
packages/plugin-commands-script-runners/test/dlx.ts+1 −1 modified@@ -5,7 +5,7 @@ import { prepareEmpty } from '@pnpm/prepare' test('dlx', async () => { prepareEmpty() - await dlx.handler({}, ['touch', 'foo']) + await dlx.handler({}, ['shx', 'touch', 'foo']) expect(fs.existsSync('foo')).toBeTruthy() })
packages/plugin-commands-script-runners/test/runRecursive.ts+9 −9 modified@@ -58,7 +58,7 @@ test('pnpm recursive run', async () => { ]) const { allProjects, selectedProjectsGraph } = await readProjects(process.cwd(), []) - await execa('pnpm', [ + await execa(pnpmBin, [ 'install', '-r', '--registry', @@ -130,7 +130,7 @@ test('pnpm recursive run reversed', async () => { ]) const { allProjects, selectedProjectsGraph } = await readProjects(process.cwd(), []) - await execa('pnpm', [ + await execa(pnpmBin, [ 'install', '-r', '--registry', @@ -182,7 +182,7 @@ test('pnpm recursive run concurrently', async () => { ]) const { allProjects, selectedProjectsGraph } = await readProjects(process.cwd(), []) - await execa('pnpm', [ + await execa(pnpmBin, [ 'install', '-r', '--registry', @@ -234,7 +234,7 @@ test('`pnpm recursive run` fails when run without filters and no package has the ]) const { allProjects, selectedProjectsGraph } = await readProjects(process.cwd(), []) - await execa('pnpm', [ + await execa(pnpmBin, [ 'install', '-r', '--registry', @@ -352,7 +352,7 @@ test('`pnpm recursive run` succeeds when run against a subset of packages and no ]) const { allProjects } = await readProjects(process.cwd(), []) - await execa('pnpm', [ + await execa(pnpmBin, [ 'install', '-r', '--registry', @@ -409,7 +409,7 @@ test('"pnpm run --filter <pkg>" without specifying the script name', async () => ]) const { allProjects } = await readProjects(process.cwd(), []) - await execa('pnpm', [ + await execa(pnpmBin, [ 'install', '-r', '--registry', @@ -511,7 +511,7 @@ test('testing the bail config with "pnpm recursive run"', async () => { ]) const { allProjects, selectedProjectsGraph } = await readProjects(process.cwd(), []) - await execa('pnpm', [ + await execa(pnpmBin, [ 'install', '-r', '--registry', 
@@ -592,7 +592,7 @@ test('pnpm recursive run with filtering', async () => { [{ namePattern: 'project-1' }], { workspaceDir: process.cwd() } ) - await execa('pnpm', [ + await execa(pnpmBin, [ 'install', '-r', '--registry', @@ -629,7 +629,7 @@ test('`pnpm recursive run` should always trust the scripts', async () => { }, ]) - await execa('pnpm', [ + await execa(pnpmBin, [ 'install', '-r', '--registry',
packages/plugin-commands-setup/package.json+1 −1 modified@@ -30,7 +30,7 @@ "homepage": "https://github.com/pnpm/pnpm/blob/master/packages/plugin-commands-setup#readme", "dependencies": { "@pnpm/cli-utils": "workspace:0.6.21", - "execa": "^5.0.0", + "execa": "npm:safe-execa@^0.1.1", "render-help": "^1.0.1" }, "funding": "https://opencollective.com/pnpm",
packages/plugin-commands-store/package.json+1 −1 modified@@ -41,7 +41,7 @@ "@types/sinon": "^9.0.11", "@types/ssri": "^7.1.0", "@zkochan/rimraf": "^2.1.1", - "execa": "^5.0.0", + "execa": "npm:safe-execa@^0.1.1", "load-json-file": "^6.2.0", "path-exists": "^4.0.0", "sinon": "^11.1.1",
packages/pnpm/package.json+1 −1 modified@@ -79,7 +79,7 @@ "delay": "^5.0.0", "dir-is-case-sensitive": "^2.0.0", "esbuild": "^0.12.0", - "execa": "^5.0.0", + "execa": "npm:safe-execa@^0.1.1", "exists-link": "2.0.0", "is-ci": "^3.0.0", "is-windows": "^1.0.2",
packages/prepare-package/package.json+1 −1 modified@@ -29,7 +29,7 @@ "dependencies": { "@pnpm/read-package-json": "workspace:5.0.4", "@zkochan/rimraf": "^2.1.1", - "execa": "^5.0.0", + "execa": "npm:safe-execa@^0.1.1", "preferred-pm": "^3.0.3" }, "funding": "https://opencollective.com/pnpm"
packages/supi/package.json+1 −1 modified@@ -85,7 +85,7 @@ "cross-spawn": "^7.0.3", "deep-require-cwd": "1.0.0", "dir-is-case-sensitive": "^2.0.0", - "execa": "^5.0.0", + "execa": "npm:safe-execa@^0.1.1", "exists-link": "2.0.0", "is-ci": "^3.0.0", "is-windows": "^1.0.2",
pnpm-lock.yaml+87 −54 modified@@ -159,7 +159,7 @@ importers: '@pnpm/macos-x64': workspace:0.0.6-6.15.0 '@pnpm/win-x64': workspace:0.0.6-6.15.0 '@zkochan/pkg': 0.0.0-2 - execa: ^5.0.0 + execa: npm:safe-execa@^0.1.1 optionalDependencies: '@pnpm/linux-x64': link:../artifacts/linux-x64 '@pnpm/macos-arm64': link:../artifacts/macos-arm64 @@ -168,7 +168,7 @@ importers: devDependencies: '@pnpm/beta': 'link:' '@zkochan/pkg': 0.0.0-2 - execa: 5.1.1 + execa: /safe-execa/0.1.1 packages/build-modules: specifiers: @@ -625,7 +625,7 @@ importers: '@types/micromatch': ^4.0.1 '@types/ramda': 0.27.39 '@types/touch': ^3.1.1 - execa: ^5.0.0 + execa: npm:safe-execa@^0.1.1 find-up: ^5.0.0 is-ci: ^3.0.0 is-subdir: ^1.1.1 @@ -639,7 +639,7 @@ importers: '@pnpm/error': link:../error '@pnpm/find-workspace-packages': link:../find-workspace-packages '@pnpm/matcher': link:../matcher - execa: 5.1.1 + execa: /safe-execa/0.1.1 find-up: 5.0.0 is-subdir: 1.2.0 micromatch: 4.0.4 @@ -744,14 +744,14 @@ importers: '@pnpm/prepare-package': workspace:1.0.3 '@pnpm/types': workspace:7.4.0 '@zkochan/rimraf': ^2.1.1 - execa: ^5.0.0 + execa: npm:safe-execa@^0.1.1 p-defer: ^3.0.0 tempy: ^1.0.0 dependencies: '@pnpm/fetcher-base': link:../fetcher-base '@pnpm/prepare-package': link:../prepare-package '@zkochan/rimraf': 2.1.1 - execa: 5.1.1 + execa: /safe-execa/0.1.1 devDependencies: '@pnpm/cafs': link:../cafs '@pnpm/git-fetcher': 'link:' @@ -768,14 +768,14 @@ importers: '@types/hosted-git-info': ^3.0.1 '@types/is-windows': ^1.0.0 '@types/semver': ^7.3.4 - graceful-git: ^3.0.2 + graceful-git: ^3.1.2 hosted-git-info: npm:@zkochan/hosted-git-info@^4.0.2 is-windows: ^1.0.2 semver: ^7.3.4 dependencies: '@pnpm/fetch': link:../fetch '@pnpm/resolver-base': link:../resolver-base - graceful-git: 3.0.2 + graceful-git: 3.1.2 hosted-git-info: /@zkochan/hosted-git-info/4.0.2 semver: 7.3.5 devDependencies: 
@@ -1788,7 +1788,7 @@ importers: '@types/adm-zip': ^0.4.34 '@zkochan/cmd-shim': ^5.1.3 adm-zip: ^0.5.5 - execa: ^5.0.0 + execa: npm:safe-execa@^0.1.1 load-json-file: ^6.2.0 path-name: ^1.0.0 rename-overwrite: ^4.0.0 @@ -1818,7 +1818,7 @@ importers: '@pnpm/plugin-commands-env': 'link:' '@pnpm/prepare': link:../../privatePackages/prepare '@types/adm-zip': 0.4.34 - execa: 5.1.1 + execa: /safe-execa/0.1.1 path-name: 1.0.0 packages/plugin-commands-import: @@ -2002,7 +2002,7 @@ importers: '@pnpm/prepare': workspace:0.0.26 '@pnpm/types': workspace:7.4.0 '@types/ramda': 0.27.39 - execa: ^5.0.0 + execa: npm:safe-execa@^0.1.1 ramda: ^0.27.1 render-help: ^1.0.1 strip-ansi: ^6.0.0 @@ -2024,7 +2024,7 @@ importers: '@pnpm/plugin-commands-listing': 'link:' '@pnpm/prepare': link:../../privatePackages/prepare '@types/ramda': 0.27.39 - execa: 5.1.1 + execa: /safe-execa/0.1.1 strip-ansi: 6.0.0 write-yaml-file: 4.2.0 @@ -2120,7 +2120,7 @@ importers: '@zkochan/rimraf': ^2.1.1 cross-spawn: ^7.0.3 enquirer: ^2.3.6 - execa: ^5.0.0 + execa: npm:safe-execa@^0.1.1 fast-glob: ^3.2.4 is-ci: ^3.0.0 is-windows: ^1.0.2 @@ -2151,6 +2151,7 @@ importers: '@pnpm/types': link:../types '@zkochan/rimraf': 2.1.1 enquirer: 2.3.6 + execa: /safe-execa/0.1.1 fast-glob: 3.2.7 npm-packlist: 2.2.2 p-filter: 2.1.0 @@ -2171,7 +2172,6 @@ importers: '@types/sinon': 9.0.11 '@types/tar': 4.0.5 cross-spawn: 7.0.3 - execa: 5.1.1 is-ci: 3.0.0 is-windows: 1.0.2 load-json-file: 6.2.0 @@ -2210,7 +2210,7 @@ importers: '@zkochan/npm-package-arg': ^2.0.1 camelcase-keys: ^6.2.2 dependency-path: workspace:8.0.4 - execa: ^5.0.0 + execa: npm:safe-execa@^0.1.1 graph-sequencer: 2.0.0 load-json-file: ^6.2.0 mem: ^8.0.0 @@ -2262,7 +2262,7 @@ importers: '@types/ramda': 0.27.39 '@types/semver': 7.3.8 '@types/sinon': 9.0.11 - execa: 5.1.1 + execa: /safe-execa/0.1.1 path-exists: 4.0.0 sinon: 11.1.2 write-yaml-file: 4.2.0 
@@ -2285,7 +2285,7 @@ importers: '@pnpm/types': workspace:7.4.0 '@types/ramda': 0.27.39 '@zkochan/rimraf': ^2.1.1 - execa: ^5.0.0 + execa: npm:safe-execa@^0.1.1 is-windows: ^1.0.2 p-limit: ^3.1.0 path-exists: ^4.0.0 @@ -2305,6 +2305,7 @@ importers: '@pnpm/sort-packages': link:../sort-packages '@pnpm/store-path': 5.0.0 '@pnpm/types': link:../types + execa: /safe-execa/0.1.1 p-limit: 3.1.0 path-exists: 4.0.0 path-name: 1.0.0 @@ -2318,7 +2319,6 @@ importers: '@pnpm/prepare': link:../../privatePackages/prepare '@types/ramda': 0.27.39 '@zkochan/rimraf': 2.1.1 - execa: 5.1.1 is-windows: 1.0.2 write-yaml-file: 4.2.0 @@ -2377,11 +2377,11 @@ importers: '@pnpm/logger': ^4.0.0 '@pnpm/plugin-commands-setup': 'link:' '@pnpm/prepare': workspace:0.0.26 - execa: ^5.0.0 + execa: npm:safe-execa@^0.1.1 render-help: ^1.0.1 dependencies: '@pnpm/cli-utils': link:../cli-utils - execa: 5.1.1 + execa: /safe-execa/0.1.1 render-help: 1.0.2 devDependencies: '@pnpm/logger': 4.0.0 @@ -2416,7 +2416,7 @@ importers: archy: ^1.0.0 dependency-path: workspace:8.0.4 dint: ^5.1.0 - execa: ^5.0.0 + execa: npm:safe-execa@^0.1.1 load-json-file: ^6.2.0 p-filter: ^2.1.0 path-exists: ^4.0.0 @@ -2456,7 +2456,7 @@ importers: '@types/sinon': 9.0.11 '@types/ssri': 7.1.1 '@zkochan/rimraf': 2.1.1 - execa: 5.1.1 + execa: /safe-execa/0.1.1 load-json-file: 6.2.0 path-exists: 4.0.0 sinon: 11.1.2 @@ -2525,7 +2525,7 @@ importers: delay: ^5.0.0 dir-is-case-sensitive: ^2.0.0 esbuild: ^0.12.0 - execa: ^5.0.0 + execa: npm:safe-execa@^0.1.1 exists-link: 2.0.0 is-ci: ^3.0.0 is-windows: ^1.0.2 @@ -2617,7 +2617,7 @@ importers: delay: 5.0.0 dir-is-case-sensitive: 2.0.0 esbuild: 0.12.24 - execa: 5.1.1 + execa: /safe-execa/0.1.1 exists-link: 2.0.0 is-ci: 3.0.0 is-windows: 1.0.2 
@@ -2670,12 +2670,12 @@ importers: '@pnpm/prepare-package': 'link:' '@pnpm/read-package-json': workspace:5.0.4 '@zkochan/rimraf': ^2.1.1 - execa: ^5.0.0 + execa: npm:safe-execa@^0.1.1 preferred-pm: ^3.0.3 dependencies: '@pnpm/read-package-json': link:../read-package-json '@zkochan/rimraf': 2.1.1 - execa: 5.1.1 + execa: /safe-execa/0.1.1 preferred-pm: 3.0.3 devDependencies: '@pnpm/prepare-package': 'link:' @@ -3046,7 +3046,7 @@ importers: deep-require-cwd: 1.0.0 dependency-path: workspace:8.0.4 dir-is-case-sensitive: ^2.0.0 - execa: ^5.0.0 + execa: npm:safe-execa@^0.1.1 exists-link: 2.0.0 graph-sequencer: 2.0.0 is-ci: ^3.0.0 @@ -3146,7 +3146,7 @@ importers: cross-spawn: 7.0.3 deep-require-cwd: 1.0.0 dir-is-case-sensitive: 2.0.0 - execa: 5.1.1 + execa: /safe-execa/0.1.1 exists-link: 2.0.0 is-ci: 3.0.0 is-windows: 1.0.2 @@ -3372,10 +3372,10 @@ importers: utils/scripts: specifiers: - execa: ^5.0.0 + execa: npm:safe-execa@^0.1.1 make-empty-dir: ^2.0.0 dependencies: - execa: 5.1.1 + execa: /safe-execa/0.1.1 make-empty-dir: 2.0.0 utils/tsconfig: @@ -4431,15 +4431,15 @@ packages: load-json-file: 6.2.0 dev: true - /@pnpm/cli-utils/0.6.17_@pnpm+logger@4.0.0: - resolution: {integrity: sha512-4zsKAifcdt8rf66+GE6tpLwTwdPLU9TfeTxSbHSzqZwnFhCxUCN0FzuI+vv7RUOaxTS9D1wcTHIjtoqJCUbb4g==} + /@pnpm/cli-utils/0.6.21_@pnpm+logger@4.0.0: + resolution: {integrity: sha512-G0/YvHfNB+umbrEwJz6Pmd6GMxpm1xDsSeGaEu/aM/Ex31OzhiSZ8XOaIQiU160he/z3kGs9ySOPZDxhRJeLcQ==} engines: {node: '>=12.17'} peerDependencies: '@pnpm/logger': ^4.0.0 dependencies: '@pnpm/cli-meta': 2.0.0 - '@pnpm/config': 12.4.7 - '@pnpm/default-reporter': 8.1.12_@pnpm+logger@4.0.0 + '@pnpm/config': 12.5.0 + '@pnpm/default-reporter': 8.2.1_@pnpm+logger@4.0.0 '@pnpm/error': 2.0.0 '@pnpm/logger': 4.0.0 '@pnpm/manifest-utils': 2.0.4_@pnpm+logger@4.0.0 
@@ -4456,13 +4456,13 @@ packages: chalk: 4.1.2 dev: false - /@pnpm/config/12.4.7: - resolution: {integrity: sha512-Y0yE/lYzJyNGdZFjmc1lzk/tECG+XRXi0CAVrroJIbwrCspmtuoLewSbujXj/49G2Eti0p520/OuWI9o/xbvgg==} + /@pnpm/config/12.5.0: + resolution: {integrity: sha512-xN+rCE0JkOu5rxgIGRUjpunJB1tn6SzINp7eLyat0v+slpuccweXIoPYKUt6QTDjJR2CRJHrWZ9lfG+zA8BYuQ==} engines: {node: '>=12.17'} dependencies: '@pnpm/constants': 5.0.0 '@pnpm/error': 2.0.0 - '@pnpm/global-bin-dir': 2.0.0 + '@pnpm/global-bin-dir': 3.0.0 '@pnpm/types': 7.4.0 '@zkochan/npm-conf': 2.0.2 camelcase: 6.2.0 @@ -4488,16 +4488,16 @@ packages: '@pnpm/types': 7.4.0 dev: true - /@pnpm/default-reporter/8.1.12_@pnpm+logger@4.0.0: - resolution: {integrity: sha512-ZSgH5yyGKmRkJLfFHJ4ptxoNiUrLhEUxh9Ff67s978D97/DEWdg/DjwFx5TToCvPW9l7cT5Zo0nP+npbvmdQjQ==} + /@pnpm/default-reporter/8.2.1_@pnpm+logger@4.0.0: + resolution: {integrity: sha512-4yusyK4dGyk8kDJaVP1yCdsgSJnB7lS/9BSXLVh0iD2hrOwEMBKO6yBhEynuOVBYbGTcWxZ9BahnFMvrQGAS+w==} engines: {node: '>=12.17'} dependencies: - '@pnpm/config': 12.4.7 + '@pnpm/config': 12.5.0 '@pnpm/core-loggers': 6.0.4_@pnpm+logger@4.0.0 '@pnpm/error': 2.0.0 '@pnpm/types': 7.4.0 ansi-diff: 1.1.1 - boxen: 5.0.1 + boxen: 5.1.1 chalk: 4.1.2 normalize-path: 3.0.0 pretty-bytes: 5.6.0 @@ -4543,11 +4543,11 @@ packages: find-up: 5.0.0 dev: true - /@pnpm/find-workspace-packages/3.1.9_@pnpm+logger@4.0.0: - resolution: {integrity: sha512-N2xJqnux0cFhyvWxxE0oO0b26xJa0GyfsZI0qBVjzUb9m5kpPPahmSqYIECQTWmEfhxQeqbvgyTsVfmUmLV99A==} + /@pnpm/find-workspace-packages/3.1.13_@pnpm+logger@4.0.0: + resolution: {integrity: sha512-WqqmNhlIv7utYie+gIAmho23bFPehKT08o2Jkg2n79Tz9rRCxXxyKqaPaUPObamClTgqDrZPEGVTxx7wbeOBpA==} engines: {node: '>=12.17'} dependencies: - '@pnpm/cli-utils': 0.6.17_@pnpm+logger@4.0.0 + '@pnpm/cli-utils': 0.6.21_@pnpm+logger@4.0.0 '@pnpm/constants': 5.0.0 '@pnpm/types': 7.4.0 find-packages: 8.0.5 
@@ -4556,8 +4556,8 @@ packages: - '@pnpm/logger' dev: true - /@pnpm/global-bin-dir/2.0.0: - resolution: {integrity: sha512-TNV0RbtiNx/NfiB8iJfttySUwiadJx2kQb/yHbaCAXx3KGOKSgfA2mh+Lr4o40wIgOx7ROuoKZ0iVxYfq0jevA==} + /@pnpm/global-bin-dir/3.0.0: + resolution: {integrity: sha512-48Hw1JGftIO84o41Pm1+1kIulnFL0ca5VGPIQ+A1q1l3IVlxp2LnCX3424p+XIGG54US4pEQ7kMQaXhZBEBqbQ==} engines: {node: '>=12.17'} dependencies: '@pnpm/error': 2.0.0 @@ -4596,7 +4596,7 @@ packages: hasBin: true dependencies: '@pnpm/find-workspace-dir': 3.0.1 - '@pnpm/find-workspace-packages': 3.1.9_@pnpm+logger@4.0.0 + '@pnpm/find-workspace-packages': 3.1.13_@pnpm+logger@4.0.0 '@pnpm/logger': 4.0.0 '@pnpm/types': 7.4.0 load-json-file: 6.2.0 @@ -5435,6 +5435,13 @@ packages: string-width: 4.2.2 dev: false + /@zkochan/which/2.0.3: + resolution: {integrity: sha512-C1ReN7vt2/2O0fyTsx5xnbQuxBrmG5NMSbcIkPKCCfCTJgpZBsuRYzFXHj3nVq8vTfK7vxHUmzfCpSHgO7j4rg==} + engines: {node: '>= 8'} + hasBin: true + dependencies: + isexe: 2.0.0 + /JSONStream/1.3.5: resolution: {integrity: sha512-E+iruNOY8VV9s4JEbe1aNEm6MiszPRr/UfcHMz0TQh1BXSxHK+ASV1R6W4HpjBhSeS+54PIsAMCBmwD06LLsqQ==} hasBin: true @@ -6267,6 +6274,21 @@ packages: type-fest: 0.20.2 widest-line: 3.1.0 wrap-ansi: 7.0.0 + dev: false + + /boxen/5.1.1: + resolution: {integrity: sha512-JtIQYts08AFAYGF4eSh3pUt3NQkYV/e75pRtQmAVTLNWR/1L7Bsswxlgzgk8nmLEM+gFszsIlA9BgD3XnSqp3g==} + engines: {node: '>=10'} + dependencies: + ansi-align: 3.0.0 + camelcase: 6.2.0 + chalk: 4.1.2 + cli-boxes: 2.2.1 + string-width: 4.2.2 + type-fest: 0.20.2 + widest-line: 3.1.0 + wrap-ansi: 7.0.0 + dev: true /brace-expansion/1.1.11: resolution: {integrity: sha512-iCuPHDFgrHX7H2vEI/5xpz07zSHB00TpugqhmYtVmMO6518mCuRMoOYFldEBl0g187ufozdaHgWKcYFb61qGiA==} @@ -8003,7 +8025,7 @@ packages: merge-stream: 2.0.0 npm-run-path: 4.0.1 onetime: 5.1.2 - signal-exit: 3.0.3 + signal-exit: 3.0.4 strip-final-newline: 2.0.0 /exists-link/2.0.0: 
@@ -8755,12 +8777,12 @@ packages: /graceful-fs/4.2.8: resolution: {integrity: sha512-qkIilPUYcNhJpd33n0GBXTB1MMPp14TxEsEs0pTrsSVucApsYzW5V+Q8Qxhik6KU3evy+qkAAowTByymK0avdg==} - /graceful-git/3.0.2: - resolution: {integrity: sha512-fZ5zG+uT3zRqpRU7kXEUQkbRfIK66JRLfV528Glm703gr/qVfF0zppqC4ksuO1fLmlxBNAxLqQUfhF/vAriMtQ==} + /graceful-git/3.1.2: + resolution: {integrity: sha512-Xyh9Y43yA23/KQ16mpwO4zkzVGUAXyzuSVZQxw9ddQklssIYIY0el24VYfJBFhyCWGriZPRAB2nCgsDizqna9g==} engines: {node: '>=10'} dependencies: - execa: 5.1.1 retry: 0.12.0 + safe-execa: 0.1.1 dev: false /graceful-readlink/1.0.1: @@ -8799,7 +8821,7 @@ packages: source-map: 0.6.1 wordwrap: 1.0.0 optionalDependencies: - uglify-js: 3.14.1 + uglify-js: 3.14.2 dev: true /har-schema/2.0.0: @@ -12922,6 +12944,14 @@ packages: /safe-buffer/5.2.1: resolution: {integrity: sha512-rp3So07KcdmmKbGvgaNxQSJr7bGVSVk5S9Eq1F+ppbRo70+YeaDxkw5Dd8NPN+GD6bjnYm2VuPuCXmpuYvmCXQ==} + /safe-execa/0.1.1: + resolution: {integrity: sha512-2KPID7iC4AMoJVozDPtcLGV+7LdpE0sR1hPkJUCaEnRsiYSZH2wgOFvxZ9UOtj1r8hNk8pVWn1tgmaEyyFZ4NA==} + engines: {node: '>=12'} + dependencies: + '@zkochan/which': 2.0.3 + execa: 5.1.1 + path-name: 1.0.0 + /safe-regex/1.1.0: resolution: {integrity: sha1-QKNmnzsHfR6UPURinhV91IAjvy4=} dependencies: @@ -13105,6 +13135,9 @@ packages: /signal-exit/3.0.3: resolution: {integrity: sha512-VUJ49FC8U1OxwZLxIbTTrDvLnf/6TDgxZcK8wxR8zs13xpx7xbG60ndBlhNrFi2EMuFRoeDoJO7wthSLq42EjA==} + /signal-exit/3.0.4: + resolution: {integrity: sha512-rqYhcAnZ6d/vTPGghdrw7iumdcbXpsk1b8IG/rz+VWV51DM0p7XCtMoJ3qhPLIbp3tvyt3pKRbaaEMZYpHto8Q==} + /signed-varint/2.0.1: resolution: {integrity: sha1-UKmYnafJjCxh2tEZvJdHDvhSgSk=} dependencies: 
@@ -14194,8 +14227,8 @@ packages: hasBin: true dev: true - /uglify-js/3.14.1: - resolution: {integrity: sha512-JhS3hmcVaXlp/xSo3PKY5R0JqKs5M3IV+exdLHW99qKvKivPO4Z8qbej6mte17SOPqAOVMjt/XGgWacnFSzM3g==} + /uglify-js/3.14.2: + resolution: {integrity: sha512-rtPMlmcO4agTUfz10CbgJ1k6UAoXM2gWb3GoMPPZB/+/Ackf8lNWk11K4rYi2D0apgoFRLtQOZhb+/iGNJq26A==} engines: {node: '>=0.8.0'} hasBin: true requiresBuild: true
utils/scripts/package.json+1 −1 modified@@ -3,7 +3,7 @@ "version": "0.0.0", "private": true, "dependencies": { - "execa": "^5.0.0", + "execa": "npm:safe-execa@^0.1.1", "make-empty-dir": "^2.0.0" } }
utils/scripts/src/copy-artifacts.ts+1 −1 modified@@ -1,5 +1,5 @@ import fs from 'fs' -import execa from 'execa' +import * as execa from 'execa' import path from 'path' import makeEmptyDir from 'make-empty-dir'
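Review bot: In the package.json hunks, `"execa": "npm:safe-execa@^0.1.1"` keeps the dependency key `execa`, so the security-relevant swap is invisible at every call site that imports from 'execa'. A workspace package that later adds a plain `"execa": "^5.0.0"` entry would get the unwrapped library back with no difference in its source. Consider depending on `safe-execa` under its own name and importing it explicitly, or adding a CI check that rejects a non-aliased `execa` entry in any workspace package.json.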
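Review bot: `.changeset/sweet-insects-carry.md` lists six packages, but `packages/prepare-package/package.json` also changes `execa` inside its `"dependencies"` block and is missing from the list, so the changeset records no release for it. Add `"@pnpm/prepare-package": patch`, and check whether the other touched manifests (plugin-commands-env, plugin-commands-listing, plugin-commands-rebuild, plugin-commands-store, pnpm, supi) use `execa` at runtime rather than only in tests.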
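Review bot: The test hunks in `test/runRecursive.ts` and `test/dlx.ts` only adapt existing tests (`execa('pnpm', [` becomes `execa(pnpmBin, [`, and `['touch', 'foo']` becomes `['shx', 'touch', 'foo']`); none of the visible hunks adds a regression test for the behaviour being fixed. A Windows-only test that creates a same-named file in the temporary working directory and asserts that the spawned path is the one found on PATH would keep this from regressing. The definition of `pnpmBin` is outside the shown context, so confirm it is an absolute path.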
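Review bot: In `build-artifacts.ts`, `env.test.ts` and `copy-artifacts.ts`, the import changes from `import execa from 'execa'` to `import * as execa from 'execa'`. If these files call `execa(...)` directly, a namespace import is only callable under TypeScript's CommonJS interop without `esModuleInterop`, and stops type-checking once that flag is enabled. `import execa = require('execa')`, or a default export from the wrapper, would state the intent without depending on the compiler setting.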
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-9m87-6fj3-c5xh (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-26183 (ghsa, ADVISORY)
- github.com/pnpm/pnpm/commit/04b7f60861ddee8331e50d70e193d1e701abeefb (ghsa, WEB)
- github.com/pnpm/pnpm/releases/tag/v6.15.1 (ghsa, WEB)
- www.sonarsource.com/blog/securing-developer-tools-package-managers (ghsa, WEB)
- www.sonarsource.com/blog/securing-developer-tools-package-managers/ (mitre)